Welcome to the workspace token-based Slack app developer preview, still under active development.
Workspace tokens are OAuth 2.0 bearer tokens representing your Slack app's ongoing relationship and agency with a specific Slack team.
In this document we'll cover:
You'll find methods, events, and features supporting workspace tokens stamped with this delicious token candy: workspace
And in case you're on the lookout, this other important documentation is part of this developer preview:
Create a developer preview app
It might be helpful to have one while following along. Keep in mind that during the developer preview, these apps cannot be distributed in the directory.
Traditional Slack apps are sturdy and stalwart app containers and conveyors of many kinds of tokens, and they certainly get the job done.
But they are not without their quirks. Which is your favorite?
These quirks are largely factored out using workspace tokens and our revised permission model.
Workspace token-based Slack apps operate on a new permission model that is both more team-centric and context-centric than the original model.
Once installed with your selected base-level permissions, your app can be added to channels, direct messages, and other conversation types as directed by the team's members and administrators.
Your app can ask for all the permissions it will ever need up front.
But, when and if you prefer, you can also request additional permissions conversationally, such as when you release a new feature, or are offering a trial mode, or just to more progressively inch your way into the hearts and minds of teams.
The Permissions API covers everything you need to know about determining your tokens current state and requesting progressive permissions.
You'll receive a single token at installation representing everything your app can do with the installing team — in real time, every channel your app is added to, every permission it's afforded, and its every capability will be bestowed upon this token.
No more bot tokens. No more user tokens. Just this one workspace token, representing your app and its relationship to a team. Take good care of it.
How do all the token types differ? See token types to compare.
Even without requesting any explicit list of scopes, installing your app yields a collection of scopes applied to a special direct message conversation with the installing user.
This is a great opportunity to progressively request additional scopes and resources by giving the installer an opportunity to select which channels and conversations to add your app to.
It's your moment to show off what your app can do in the safe confines of a private conversation.
Deep link to a conversation with your app from websites, messages, or even redirect to your app during installation flows.
Besides giving you a great interface to your app's permissions and a heartbeat as they change, the new Permissions API allows your app to interactively and progressively request additional permissions and capabilities within context to the actions your app takes.
This document is already long and the Permissions API is in another castle: Read the Permissions API documentation for the full story. š°
Even so, the Permissions API is so pivotal to the workspace token experience, here are more highlights:
When these new kinds of Slack apps are first installed, it's done so for an entire team. Installation is just a fact. An app is installed or it's not and some member of the team installed it, but that team member is not the app's "keeper."
New Slack apps receive progressive permissions. The best way to upgrade permissions beyond a direct message interaction is through conversation — telling the user what your app can do and giving them a button that will begin a Slack native dialog for upgrading permissions.
This permission system is resource-centric. Experientially, one might even say it's channel and conversation-centric. The permission scopes granted to your app are granted within the context of specific resources, channels, or conversations.
Often those permissions are narrow — maybe just a DM with 1 or 2 users. Maybe just read and write access to a single public channel. Or maybe your app has permission to understand the wider universe of the whole team.
All of these team permissions are encoded in a single access token. This access token can do anything your app has permission to do within the context of a single team.
Follow along with this guide to discover the most salient new Slack app features.
In general, these new Slack apps cannot do the following:
chat.postMessage with the new channel & conversation selection model in the Permissions API instead.Some functionality previously made possible through impersonating the authenticating user, like creating and inviting users to channels, is no longer possible with this model.
Something you really want to do but can't? Let us know!
Wow that's a lot of text you've read so far! And you're only now getting started?
We think it's best to approach this new way of creating Slack apps as a fresh, new experience. Write something completely new. Hack. We don't recommend trying to make your old app run on this new model yet. Apps built with this new model cannot yet be added to the directory.
Build something fun, use some features you may not yet be familiar with, try something new, please break things.
No direct migration path for existing apps is provided yet; more detail on migration will be communicated in the coming weeks.
Did you create a workspace token-based app yet? Go ahead and create this fancy new app container.
Once created, install your new app onto your team. You don't need OAuth and you don't even need to code anything yet.
As part of installation, you'll be asked if your app can "Access a private conversation with you". That sounds fantastic. Approve it.
Essentially, all workspace token-based Slack apps are granted a special "application direct message" with the installing user.
Now your app can start conversing with you. Follow the prompts to send a test message. Try the in-page curl example to get a real feel for it.
curl -X POST --data 'token=xoxa-token-token-token-token&channel=%40episod&text=Hello%2C%20world!' https://slack.com/api/chat.postMessage
After that, visit your Slack team and open up the conversation with your new app.
Your app is now ready to do and be much more.
This new Slack app model definitely puts a focus on conversations but your app is not required to be a bot.
If you're familiar with the old Slack app model where apps could contain a separate "bot user" entity, you'll find that now your whole app is capable of being a bot, no special user or token required.
Instead of being given a blanket set of bot permissions, workspace token-based apps are more narrowly and explicitly scoped.
Upon installation, your app was granted chat:write, im:read, and im:history all applied to that single conversation with you.
Asking for progressive permissions is optional but awesome.
Your "app message" — that initial Hello world to your app's first user will remain a one-sided conversation until we provide your app with a way to receive messages from conversations like this one.
To truly hold court with a user, you'll need to put together a few different Slack app features:
chat.postMessage to send messages to users in the channels your app participatesYour app by default will be granted the chat:write, im:read, and im:history scopes granted toward a single resource: the app's installer. Your app can't send that "hello world" message to just any user — though it has those three scopes, they only apply to that single conversation.
This triad of scopes lets your app behave like a bot in that channel — if it wants to. And it should. Even if your app is just a slash command, anticipate that users might want to chat with it. Maybe you just want to respond with a friendly message on how to use the slash command.
To receive these messages, you should parlay these permissions into an Events API subscription to messages.im. Then when a user sends a message via direct message to your bot, you'll receive a single event detailing its contents.
Your app is given the chat:write OAuth scope applied to this direct message, so it has access to chat.postMessage and you can respond to the user with that.
During the Alpha, new Slack apps are currently installable via two approaches:
Slack OAuth 2.0 implementation remains largely unchanged for workspace token-based Slack apps. If you're new to Slack's OAuth sequence or OAuth 2.0 in general, we recommend reading our OAuth guide to understand the sequence of steps involved.
https://slack.com/oauth/authorize with the appropriate parameters.code valuehttps://slack.com/api/oauth.access with a few parameters, including that code value we sent you in the last stepxoxa-, representing your current permission level with that team.As with all of our OAuth flows, apps can be installed multiple times by the same user or different users. In the new model, apps are installed onto the whole team but the installing user decides which resources to provision to the Slack app.
There are other ways for users to elevate the permissions and resources afforded to your app. Read all about them in the Permissions API.
When negotiating workspace tokens with oauth.token, you'll receive JSON payloads differing significantly from the typical response found in oauth.access.
Dwell on this little bit of well-intentioned complexity:
{
"ok": true,
"access_token": "xoxa-access-token-string",
"token_type": "app",
"app_id": "A012345678",
"app_user_id": "U0AB12ABC",
"installer_user_id": "U061F7AUR",
"authorizing_user_id": "U061F7AUR",
"team_name": "Subarachnoid Workspace",
"team_id": "T061EG9Z9",
"scopes": {
"app_home": [
"chat:write",
"im:history",
"im:read"
],
"team": [],
"channel": [
"chat:write"
],
"group": [
"chat:write"
],
"mpim": [
"chat:write"
],
"im": [
"chat:write"
],
"user": []
},
"single_channel_id": "C061EG9T2"
}
This structure communicates a short story:
T061EG9Z9 ("Subarachnoid Workspace") for your Slack app identified by the ID A012345678.U061F7AUR.chat:write scope, but access was only granted to a single public channel resource, C061EG9T2.app_home.oauth.token response field guideaccess_token - Your new workspace token that begins with xoxa. It can be very long.token_type - You'll see app here. Workspace tokens were once known as app tokens. Maybe someday this value will become workspace.app_id - This is the unique ID for your whole Slack app.app_user_id - This is the user ID of your app. It's a user! It's an app! It's a user! It's an app! The user ID is unique to the team installing it.installer_user_id - This is the user ID of the user that originally installed this app.authorizing_user_id - This user ID belongs to the user currently undergoing the authorization process.team_name - This is what the team calls itself.team_id - This is the unique ID for the team.permissionsapps.permissions.info to look up all of your app's permissions for this workspace instead.scopes - the OAuth scopes awarded to your app in this particular installation attempt.single_channel_id - if this app is approved for a single channel, that channel will be listed here. See single channel authorizations for more info.Use apps.permissions.info to look up your app's permissions on the fly.
Scopes are grouped by resource type:
app_home - your app's direct message conversation with the installer of this appteam - team-level permissions assigned to your appchannel - public channelsgroup - private channelsmpim - multi-member direct messagesim - direct messagesuser - permissions to work with or as specific usersThe Permissions API describes in more detail how resources and scopes work together to enforce what your app can do.
To request access to only a single channel, add single_channel=true to the querystring you generate for the oauth/authorize step of the OAuth flow.
Users will be asked to approve your app's requested scopes just for a single channel they choose. When the approval process is complete, the response to oauth.token or oauth.access will contain a single_channel_id field noting the channel resource.
Repeating this process multiple times on the same workspace adds additional channel grants to your app, one by one.
Use this approach with the chat:write and channels:history scopes to effectively install a bot into a single channel.
Ask for only chat:write just to post notifications into a single channel, turning chat.postMessage into a replacement for incoming webhooks.
The Events API is a central ingredient to workspace token-based apps.
While you no longer can subscribe to "bot events," they're also irrelevant to your token type. The meaning of "team events" deepens and instead of being delivered through the perspective of your installing user, you receive only the events resourced to your app.
These new app events are available for the Events API as part of the new Permissions API.
Keep your app apprised on which scopes and resources it has access to for a specific team. These events are made even more useful when progressively negotiating new permissions via the apps.permissions.request method.
resources_added - your app was granted access to resources (like specific channels, a collection of channels, specific IM, emoji, etc.)resources_removed - access that your app had to a set of resources has been removedscope_granted - your app was given access to a specific scopescope_denied - your app was denied access to a specific scopeIncoming webhooks are not supported by workspace token-based apps.
Emulate the behavior of an incoming webhook by asking for only the chat:write scope and use a [single channel authorization](# single_channel_authorization). Then build and post your messages to the target channel using chat.postMessage.
Workspace token-based apps can't connect to the RTM API. There's no permission scope in the progressive model that grants the level of access required to connect to Slack's message server. For near real time event delivery, you must use the Events API.
We're not quite ready to migrate existing Slack apps to the workspace token model. For now, consider this all part of an elaborate developer preview. We'll let you know when workspace tokens are ready for production apps.
Thanks for trying our developer preview for workspace token-based Slack apps! We welcome your feedback. Email us at developers@slack.com.